From: Hangbin Liu
Date: Tue, 31 Mar 2026 11:56:13 +0800
Subject: [PATCH net-next 3/4] ethtool: strset: check nla_len overflow before nla_nest_end
Message-Id: <20260331-b4-ynl_ethtool-v1-3-dda2a9b55df8@gmail.com>
In-Reply-To: <20260331-b4-ynl_ethtool-v1-0-dda2a9b55df8@gmail.com>
To: Donald Hunter, Jakub Kicinski, "David S. Miller", Eric Dumazet, Paolo Abeni, Simon Horman, Andrew Lunn
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Hangbin Liu

The netlink attribute length field nla_len is a __u16, which can only represent values up to 65535 bytes. NICs with a large number of statistics strings (e.g. mlx5_core with thousands of ETH_SS_STATS entries) can produce an ETHTOOL_A_STRINGSET_STRINGS nest that exceeds this limit.

When nla_nest_end() writes the actual nest size back to nla_len, the value is silently truncated. This results in a corrupted netlink message being sent to userspace: the parser reads a wrong (truncated) attribute length and misaligns all subsequent attribute boundaries, causing decode errors.

Fix this by checking whether the size of strings_attr would exceed U16_MAX after all strings have been written, and give up nla put if so.

Signed-off-by: Hangbin Liu
--- net/ethtool/strset.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c index f6a67109beda..9c502b290f5c 100644 --- a/net/ethtool/strset.c +++ b/net/ethtool/strset.c 
@@ -441,6 +441,10 @@ static int strset_fill_set(struct sk_buff *skb, if (strset_fill_string(skb, set_info, i) < 0) goto nla_put_failure; } + + if (skb_tail_pointer(skb) - (unsigned char *)strings_attr > U16_MAX) + goto nla_put_failure; + nla_nest_end(skb, strings_attr); } =20 --=20 Git-155)
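
Review bot: The new size check in strset_fill_set() jumps to the same nla_put_failure label as the strset_fill_string() failure just above it, so the caller cannot tell "the skb ran out of room" from "the nest is too large for a 16-bit nla_len", and the commit message does not say what userspace receives once the put is given up. Consider a distinct return value or an extack message for the oversize case, so that a NIC with thousands of strings fails with a reason the user can act on. The test also runs only after every string has already been written into the skb; moving it into the loop would let the function stop as soon as the limit is crossed. A one-line comment over the "> U16_MAX" comparison noting that nla_len is a __u16 would keep the reason next to the code.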